search

$I30

Keeps track of what files exist in what directories.

LogoNTFS $I30 Index Attributes: Evidence of Deleted and Overwritten FilesSANS Institutechevron-right
LogoNTFS Index Attributeswww.forensicsmyanmar.comchevron-right

File Location:

hashtag
Parse Data

hashtag
Considerations

hashtag
What is $I30

$BITMAP:

  • Tracks which index records are in use.

$INDEX_ROOT:

  • Only resident files and a small # of files.

$INDEX_ALLOCATION:

  • Non-resident and a large # of files.

INDEX_ROOT + INDEX_ALLOCATION + $BITMAP = $I30

hashtag
What data does it contain?

  • Full filename

  • Parent directory (useful if you recover a $I30 file in free space and do not know its origin)

  • File size

  • Creation Time

  • Modification Time

  • MFT Change Time

  • Access Time

$FILE_NAME attribute timestamps and not $STANDARD_INFORMATION timestamps

hashtag
Anti-Forensics

  • Provides a seperate set of timestamps to be compared for timestomping.

  • $I30 slack space may hold evidence of deleted files within directories.

PreviousVolume Shadow CopiesNextUsnJournal/$LogFile

Last updated